Networking

Port Scanning

Powershell Ping Sweep

# Send one ICMP echo to 192.168.1.1-20 and print True/False per host
1..20 | % {"192.168.1.$($_): $(Test-Connection -Count 1 -ComputerName 192.168.1.$($_) -Quiet)"}

Powershell Testing Ports

# TCP connect test against a single host and port
Test-NetConnection -ComputerName UFC-WEBPROD -Port 80

Port Forwarding

# Listen address is local ip of machine that will be proxy, connect address is target
netsh interface portproxy add v4tov4 listenaddress=192.168.250.10 listenport=443 connectaddress=192.168.250.22 connectport=443
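From the defending side, rules like the one above survive reboots, so an added PowerShell snippet (not from this cheat sheet) audits them: it reads the registry key where netsh persists v4tov4 rules (assumed to be the standard PortProxy service layout, value name listenaddress/listenport, data connectaddress/connectport), cross-checks each listen port against live listeners, and reports the firewall profile state.

```powershell
# Added example: audit persistent netsh portproxy rules and firewall state.
# Assumption: netsh stores v4tov4 TCP rules under this key as
#   name = "<listenaddress>/<listenport>", data = "<connectaddress>/<connectport>"
function Get-PortProxyRule {
    [CmdletBinding()]
    param(
        [string]$RegistryPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
    )
    if (-not (Test-Path -Path $RegistryPath)) { return @() }   # no rules configured
    $item = Get-Item -Path $RegistryPath
    foreach ($name in $item.GetValueNames()) {
        $listen  = $name -split '/', 2
        $connect = [string]$item.GetValue($name) -split '/', 2
        if ($listen.Count -ne 2 -or $connect.Count -ne 2) { continue }  # malformed entry, skip
        $port = [int]$listen[1]
        # Cross-check: is anything actually bound to the listen port right now?
        $live = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            ListenAddress  = $listen[0]
            ListenPort     = $port
            ConnectAddress = $connect[0]
            ConnectPort    = [int]$connect[1]
            Listening      = [bool]$live
        }
    }
}

# The cheat sheet's "netsh firewall set opmode mode=disable" leaves every profile
# off; Enabled=False on any profile here is worth a ticket.
function Get-FirewallState {
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

Get-PortProxyRule  | Format-Table -AutoSize
Get-FirewallState  | Format-Table -AutoSize
```

Compare the output with `netsh interface portproxy show v4tov4`; a rule present in the registry but absent from netsh (or vice versa) is the discrepancy to chase.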

Firewalls

Listing Rules

# Legacy "netsh firewall" context (deprecated in favour of "netsh advfirewall", but still present on older builds)
netsh firewall show opmode

Disabling Firewall

# Turns the host firewall off for all profiles
netsh firewall set opmode mode=disable

Allowing Rule

Enabling PsRemoting (WinRM)

Enabling CredSSP

Hyper-V

Listing VMs

Get-VM

Get Info on Running VMs

# Show all properties of one VM
Get-VM -Name vault-db | Format-List *

# Get IP addresses via the VM's network adapters
Get-VM -Name vault-db | Select-Object -ExpandProperty NetworkAdapters

Manage VMs

# Pass creds as object
$username = "<domain>\<username>"
$password = ConvertTo-SecureString "<password>" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)

# Invoke a command inside a VM over PowerShell Direct using the creds
Invoke-Command -VMName <vmname> -Credential $cred -ScriptBlock {whoami}

# Interactive session into the VM
Enter-PSSession -VMName <vmname> -Credential $cred

Mounting VM Disk Image

# Stop the VM first so the VHDX is not locked
Stop-VM -Name vault-dc

# Mount the disk image and list its partitions/volumes
Mount-VHD -Path 'C:\Users\Public\Documents\Hyper-V\Virtual hard disks\vault-dc.vhdx' -PassThru | Get-Disk | Get-Partition | Get-Volume

# Show drives (the mounted volume appears with its assigned letter)
Get-PSDrive

SMB Null Session

# Null-session enumeration: -n runs an nmblookup against the host, -a runs all simple checks
enum4linux -n <IP>
enum4linux -a <IP>

# Connect with smbclient (no password, empty user) and list shares
smbclient -L WORKGROUP -I <IP> -N -U ""

# Connect to a share
smbclient \\\\<IP>\\<SHARE> -N

# Download (inside the smbclient prompt)
get <FILE>

# Upload (inside the smbclient prompt)
put <FILE>